Every time resumption_context is used, it's fed into the PRF hash. Handshake Context gets hashed since that actually expands to the full concatenation and we want to be able to maintain a rolling hash. But resumption_context is always a short value and is already the size of the PRF hash. (If not resuming, it is the zero key, which is sized appropriately. If resuming, it is the size of the PRF hash of the original connection. But we require that resumptions use the same PRF, so that too will be the right size.)
Was there some other reason we needed to hash it, or is a guarantee of constant size sufficient to use it directly? If it still needs to be hashed, it seems we ought to redefine resumption_context to be Hash(HKDF-Expand-Label(...)) instead, mostly as a hint to implementors that one may as well store the final value in the ticket. David
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
